Entries in honeypot (8)

Wow, it has been a long time since I have posted. I plan to rectify my posting frequency problems, starting now. Last weekend @p4r4n0y1ng and I (@TekDefense) gave a presentation on Honeypots called "Catch More Honeys when you are fly" at BSidesNola. See the slides below:

As many of you know from previous posts, I am a big fan of honeypots, particularly Kippo. My main Kippo instance sitting in AWS has been online for over a year now. Let's take a look at what we have captured and learned over this past year. If you want to validate any of these statistics I have made the raw logs available for download.

Passwords:

One of my favorite uses of Kippo data is to generate wordlists from login attempts. I wrote a quick script to parse the Kippo logs, pull out all the passwords, and deduplicate them into a wordlist. Feel free to grab it. Additionally, I made the wordlists available for download.

Using Pipal I performed analysis of all the login attempts over this year:

Two items of note here are that over 60% of password attempts were 1-8 characters. 40% of attempts were for lowercase alpha characters only. The most used password was 123456. This is the default pass for Kippo.
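As an added example (not the script from the post and not Kippo's own code), here is a parser that does what the wordlist script and the Pipal run above do on a small scale: it pulls every password out of Kippo login-attempt lines, deduplicates them into a wordlist, and computes the same kinds of figures quoted above (share of 1-8 character passwords, share of lowercase-alpha-only passwords, most-used password). The log line format is what a stock Kippo install writes as I recall it, and the sample lines are constructed, not real honeypot data.

```python
import re
import sys
from collections import Counter

# Assumed stock Kippo text-log format, e.g.:
# 2014-04-20 01:02:03+0000 [SSHService ssh-userauth on HoneyPotTransport,12,198.51.100.7] login attempt [root/123456] failed
LOGIN_RE = re.compile(
    r"login attempt \[(?P<user>[^/\]]*)/(?P<password>.*)\] (?P<result>failed|succeeded)$"
)

# Constructed sample log, not captured data.
SAMPLE_LOG = """\
2014-04-20 01:02:03+0000 [SSHService ssh-userauth on HoneyPotTransport,12,198.51.100.7] login attempt [root/123456] failed
2014-04-20 01:02:04+0000 [SSHService ssh-userauth on HoneyPotTransport,12,198.51.100.7] login attempt [root/password] failed
2014-04-20 01:02:05+0000 [SSHService ssh-userauth on HoneyPotTransport,12,198.51.100.7] login attempt [root/123456] succeeded
2014-04-20 02:10:00+0000 [SSHService ssh-userauth on HoneyPotTransport,13,203.0.113.9] login attempt [admin/admin] failed
2014-04-20 02:10:01+0000 [SSHService ssh-userauth on HoneyPotTransport,13,203.0.113.9] login attempt [root/p@ssw0rd] failed
2014-04-20 02:10:02+0000 [SSHService ssh-userauth on HoneyPotTransport,13,203.0.113.9] login attempt [root/toor] failed
2014-04-20 03:00:00+0000 [HoneyPotTransport,14,192.0.2.4] connection lost
"""


def extract_attempts(lines):
    """Yield (user, password, result) for every login-attempt line; other lines are skipped."""
    for line in lines:
        m = LOGIN_RE.search(line.rstrip("\n"))
        if m:
            yield m.group("user"), m.group("password"), m.group("result")


def build_wordlist(lines):
    """Unique passwords in first-seen order (unlike `sort -u`, this keeps the order attackers tried them)."""
    ordered, seen = [], set()
    for _, password, _ in extract_attempts(lines):
        if password not in seen:
            seen.add(password)
            ordered.append(password)
    return ordered


def password_stats(lines):
    """Pipal-style summary over all attempts (not unique passwords): top passwords,
    share of 1-8 character passwords and share of lowercase-alpha-only passwords."""
    attempts = [password for _, password, _ in extract_attempts(lines)]
    total = len(attempts)
    counts = Counter(attempts)
    short = sum(1 for p in attempts if 1 <= len(p) <= 8)
    lower_only = sum(1 for p in attempts if p.isalpha() and p.islower())
    pct = lambda n: round(100.0 * n / total, 1) if total else 0.0
    return {
        "total": total,
        "top": counts.most_common(3),
        "pct_1_to_8": pct(short),
        "pct_lower_alpha": pct(lower_only),
    }


if __name__ == "__main__":
    # Usage: python kippo_wordlist.py /opt/kippo/log/kippo.log > wordlist.txt
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for word in build_wordlist(src):
        print(word)
    print(password_stats(SAMPLE_LOG.splitlines()), file=sys.stderr)
```

Stats are computed over attempts rather than unique passwords so that the most-used password reflects volume, which is what the Pipal numbers above describe.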

If a user attempts to create an account or change the root password in a Kippo session those passwords are captured and added to the allowed credentials list. The following credentials were created:

root:0:albertinoalbert123
root:0:fgashyeq77dhshfa
root:0:florian12eu
root:0:hgd177q891999wwwwwe1.dON
root:0:iphone5
root:0:kokot
root:0:nope
root:0:picvina
root:0:scorpi123
root:0:test
root:0:xiaozhe
root:0:12345
root:0:bnn318da9031kdamfaihheq1fa
root:0:ls
root:0:neonhostt1
root:0:wget123

Downloads:

When an attacker attempts to download a tool via wget, Kippo allows the file to be downloaded, although the attacker cannot interact with it. This gives us a copy of whatever is being downloaded. In most cases these are IRC bots, but not all. I have made them all available for download.

Here is a listing of all the files:

*Duplicates and obviously legitimate files have been removed from the list.

TTY Replay Sessions:

My absolute favorite feature of Kippo is the ability to replay interactive sessions of attacker activity. Watching these replays gives us an idea of what attackers do once inside a session. For instance, almost every session begins with "w", which shows logged-in users and uptime, followed by "uname -a" to show them system details. I made a YouTube series called The Kippo Kronicles a while back to showcase some of these sessions. While I don't have the time necessary to continue putting up videos for each session, I have put the output of each session up at this GitHub repo.

Conclusion:

After a year with Kippo, I have learned a lot about what these basic attackers do when connecting to seemingly open ssh hosts. There is plenty more to learn though. I have some plans on building out a larger honeypot infrastructure, and automating some of the data collection and parsing. Additionally I would like to spend more time analyzing the sessions and malware for further trends. I'll keep you all posted!

In this episode of TekTip, I am going to show a unique method to drive traffic to your Honeypot. While I use Kippo as the example this approach will work for any Honeypot.

*If you do not know what Kippo is, shame on you. Watch this, this, and this to get caught up.

Now let's get to it. The first thing we need to do is prep our Kippo Instance so that we can measure the results of the approach. Log into your Kippo Honeypot, probably on HoneyDrive. Once logged in go to your kippo install directory and navigate to the data folder.

If using Honeydrive it will look something like this:

cd /opt/kippo/data

Now use the cat command to see what you currently have as allowable credentials in your userdb.txt.

cat userdb.txt
root:0:123456
root:0:abc123
root:0:p@ssw0rd

This is what I have. As you can see I allow 3 of the top 10 most used passwords. Now we want to add credentials that will be unique enough that they should not be attempted by your average attacker. Open userdb.txt in your favorite text editor and add a new line with the credentials you want to use. I added one for root:0:IamSo1337!. Running "cat userdb.txt" again shows the following:

cat userdb.txt
root:0:123456
root:0:abc123
root:0:p@ssw0rd
root:0:IamSo1337!

That takes care of the prep. Now if you are doing this with something other than Kippo, those previous steps won't apply. If whatever Honeypot you are using has the ability to let attackers authenticate you will want to set up a unique set of credentials for the experiment. If not, press on.

We will now use social networks against our attackers. To put it simply, we are going to post login information for our honeypot on a public site like pastebin, and then alert attackers to the information by posting a link to the paste on social networks like Twitter.

You may want to keep the rest of the activity as anonymous as possible, so fire up Tor Browser or use proxychains to hide your IP information. Once anonymized go to pastebin.com.

The trick to getting this to work properly is to utilize keywords that attackers may have PasteLerts set up for. For instance you will want to include keywords such as ssh, login, username, password, root, and many others. Make sure you use some of these keywords in the title as well. Here is a sample one I put together:

Submit this and get your pastebin url. Now this will be enough to bring in a few extra hits already, from people who are monitoring pastebin. To get even more folks to see this though we will need to take it a step further.

While still anonymizing your activity, create a throwaway Twitter account. As many people as there are that monitor pastebin, there are even more that monitor Twitter (at least I am guessing so). In particular there are certain Twitter users and lists that people follow to get password dumps as they occur. My favorite of these is @PastebinDorks.

With your new twitter account create a tweet that mentions @PastebinDorks or another account like that. Have it say something along the lines of, "Check out this one! http://pastebin.com/qi7wzp8h". Now anyone that follows @PastebinDorks will see your post. You may get lucky enough to have someone retweet it a few times.

Now you can just sit back and wait for the connections to roll in. While I used Twitter and pastebin in my example, this can be done with any similar tools. The point is to get the data out there in public and then use social networks to increase exposure.

To monitor your Kippo logs and see when attackers use the user/pass combination you specified in userdb.txt, navigate to your Kippo logs directory and do the following:
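As an added example (not the post's own monitoring command and not Kippo's code) covering both the userdb.txt prep step above and this monitoring step: it parses userdb.txt in the user:uid:password format shown, appends the canary credential only if it is not already present, and scans Kippo log lines for successful logins that used the canary password, returning the timestamp, source IP and username of each hit. The Kippo log line format is assumed from a stock install, and the sample log lines are constructed.

```python
import re
import sys

# Assumed stock Kippo log line for a successful login, e.g.:
# 2014-04-21 10:00:02+0000 [SSHService ssh-userauth on HoneyPotTransport,21,203.0.113.55] login attempt [root/IamSo1337!] succeeded
SUCCESS_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[SSHService ssh-userauth on HoneyPotTransport,\d+,(?P<ip>[^\]]+)\] "
    r"login attempt \[(?P<user>[^/\]]*)/(?P<password>.*)\] succeeded$"
)

# userdb.txt contents as shown in the post, before the canary is added.
USERDB_BEFORE = "root:0:123456\nroot:0:abc123\nroot:0:p@ssw0rd\n"
CANARY = ("root", 0, "IamSo1337!")

# Constructed sample log: one canary success, one non-canary success, one canary failure.
SAMPLE_LOG = """\
2014-04-21 09:58:00+0000 [SSHService ssh-userauth on HoneyPotTransport,20,198.51.100.7] login attempt [root/123456] succeeded
2014-04-21 10:00:01+0000 [SSHService ssh-userauth on HoneyPotTransport,21,203.0.113.55] login attempt [root/IamSo1337!] failed
2014-04-21 10:00:02+0000 [SSHService ssh-userauth on HoneyPotTransport,21,203.0.113.55] login attempt [root/IamSo1337!] succeeded
2014-04-21 10:05:00+0000 [HoneyPotTransport,21,203.0.113.55] connection lost
"""


def parse_userdb(text):
    """Return [(user, uid, password)] from userdb.txt text; blank and '#' lines are ignored."""
    creds = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, uid, password = line.split(":", 2)  # password may itself contain ':'
        creds.append((user, int(uid), password))
    return creds


def add_canary(text, user, uid, password):
    """Return userdb.txt text with the canary credential appended; a no-op if it is already there."""
    if (user, uid, password) in parse_userdb(text):
        return text
    if text and not text.endswith("\n"):
        text += "\n"
    return text + "%s:%d:%s\n" % (user, uid, password)


def canary_logins(log_lines, canary_password):
    """Successful logins that used the canary password, as (timestamp, source_ip, user).
    Failed attempts with the canary are ignored: Kippo only grants a session on success."""
    hits = []
    for line in log_lines:
        m = SUCCESS_RE.match(line.rstrip("\n"))
        if m and m.group("password") == canary_password:
            hits.append((m.group("ts"), m.group("ip"), m.group("user")))
    return hits


if __name__ == "__main__":
    # Usage: python canary_watch.py /opt/kippo/log/kippo.log
    # (without an argument the constructed sample log is scanned)
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for ts, ip, user in canary_logins(lines, CANARY[2]):
        print("%s canary login as %s from %s" % (ts, user, ip))
```

Matching only on the password is deliberate: the canary value is the part that was leaked, so any username paired with it still means the paste was read.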

In this episode of the Kippo Kronicles we replay the attack of the most advanced of all attackers, the APT attacker. Okay, not quite. In fact, calling this guy (or maybe gal) an APT'er is like calling your chubby friend slim. I get typing dir once by accident, but to repeatedly try to type dir in Linux, come on now. Anyways, I have a ton of logs stored up and ready to videotize. More to come.